I was an engineer at Google when the Aurora attacks happened. Until we know more about the attackers and how it was pulled off, we don't know if this was amateur hour security, or if Twitter was facing an Advanced Persistent Threat with multiple 0days and custom malware.
Google used a combination of Kerberos, SSH public key auth, client-side SSL certs, and a custom crypto system called Low Overhead Authentication System (LOAS), all of which utilize zero-knowledge proofs rather than sending passwords to the server. Google still got compromised, using a (0day?) Adobe Reader exploit sent via impersonating a co-worker on AIM or MSN Messenger (as I remember).
Let's leave the jury out on this one until we find out what happened.
I'm not aware of any such public documentation. Given the sorts of highly capable threats Google is up against, I imagine they want to do everything in their power to slow down attackers.
Also, they don't even allow the codenames of various parts of their infrastructure to be leaked, much less how the parts relate and how they're protected.
I'd really like to see LOAS open-sourced. I imagine that, like Kerberos, it's based on Needham-Schroeder, but I've never seen its source code or any design documentation.
Not that I disagree with you, but it's not exactly as if Twitter was a role model of security on this one...